run immich-ml from ytnix and add tailscale0 to trustedInterfaces

hosts/ytnix/containers.nix

@@ -0,0 +1,36 @@
+{ 
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  virtualisation.oci-containers.containers = {
+    immich-ml = let
+      modelCache = "/opt/immich-ml";
+    in {
+      image = "ghcr.io/immich-app/immich-machine-learning:release";
+      autoStart = true;
+      pull = "newer";
+      ports = [ "3003:3003" ];
+      environment = {
+        REDIS_HOSTNAME = "immich-redis";
+        DB_HOSTNAME = "immich-db";
+      };
+      volumes = [ "${modelCache}:/cache" ];
+      networks = [ "immich-net" ];
+    };
+  };
+
+  systemd.services.create-immich-net = rec {
+    serviceConfig.Type = "oneshot";
+    requiredBy = with config.virtualisation.oci-containers; [
+      "${backend}-immich-ml.service"
+    ];
+    before = requiredBy;
+    script = ''
+      ${lib.getExe pkgs.podman} network exists immich-net || \
+      ${lib.getExe pkgs.podman} network create immich-net
+    '';
+  };
+}

hosts/ytnix/default.nix

@@ -10,6 +10,7 @@
     ../common.nix
     ../zsh.nix
     ./tailscale.nix
+    ./containers.nix
   ];
 
   sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@@ -86,10 +87,12 @@
     resolvconf.enable = true;
     firewall = {
       enable = true;
-      allowedTCPPorts = [
-        8080 # mitmproxy
-        22000 # syncthing
-      ];
+      trustedInterfaces = [ "tailscale0" ];
+      # allowedTCPPorts = [
+      #   8080 # mitmproxy
+      #   22000 # syncthing
+      #   3003 # immich-ml
+      # ];
     };
   };
   programs.nm-applet.enable = true;
@@ -252,7 +255,6 @@
   xdg.mime.defaultApplications = {
     "application/pdf" = "okular.desktop";
     "image/*" = "gwenview.desktop";
-    "*/html" = "chromium-browser.desktop";
   };
 
   virtualisation = {